Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 613550 (CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464) - <net-misc/ntp-4.2.8_p10: multiple vulnerabilities
Summary: <net-misc/ntp-4.2.8_p10: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://support.ntp.org/bin/view/Main/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-22 15:21 UTC by Thomas Deutschmann
Modified: 2017-10-20 11:48 UTC (History)
2 users (show)

See Also:
Package list:
=net-misc/ntp-4.2.8_p10-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-03-22 15:21:38 UTC
ntp-4.2.8p10 was released on 21 March 2017.

    Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP: Denial of Service via Malformed Config (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3386: NTP-01-011 NTP: ntpq_stripquotes() returns incorrect Value (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3385: NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3384 / CVE-2017-6455 / VU#325339: NTP-01-009 NTP: Windows: Privileged execution of User Library code (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3383 / CVE-2017-6452 / VU#325339: NTP-01-008 NTP: Windows Installer: Stack Buffer Overflow from Command Line (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3382 / CVE-2017-6459 / VU#325339: NTP-01-007 NTP: Windows Installer: Data Structure terminated insufficiently (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003 Improper use of snprintf() in mx4200_send() (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002 Buffer Overflow in ntpq when fetching reslist (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3376: NTP-01-001 Makefile does not enforce Security Flags (Pentest report 01.2017)
        Reported by Cure53. 
    Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin
        Reported by Matthew Van Gundy of Cisco ASIG.
Comment 1 Michael Weber (RETIRED) gentoo-dev 2017-03-22 22:51:34 UTC
Umm, 

/bin/sh ../libtool  --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc  -ffunction-sections -fdata-sections -Wall -Wcast-align -Wcast-qual -Wmissing-prototypes -Wpointer-arith -Wshadow -Winit-self -Wstrict-overflow    -Wno-strict-prototypes -pie -fPIE -fPIC -fstack-protector-all -O1 -O2 -pipe -march=native  -z relro -z now -Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed -o ntpsnmpd netsnmp_daemonize.o ntpsnmpd.o ntpSnmpSubagentObject.o ntpsnmpd-opts.o ../ntpq/libntpq.a ../libntp/libntp.a -L/usr/lib64 -lnetsnmpmibs -ldl -lnetsnmpagent -lwrap -lnetsnmp -lcrypto -lm -Wl,--gc-sections  -lm -pthread -lssl -ldl -lz -lcrypto -ldl -lz ../sntp/libopts/libopts.la 
libtool: link: x86_64-pc-linux-gnu-gcc -ffunction-sections -fdata-sections -Wall -Wcast-align -Wcast-qual -Wmissing-prototypes -Wpointer-arith -Wshadow -Winit-self -Wstrict-overflow -Wno-strict-prototypes -pie -fPIE -fPIC -fstack-protector-all -O1 -O2 -pipe -march=native -z relro -z now -Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed -o ntpsnmpd netsnmp_daemonize.o ntpsnmpd.o ntpSnmpSubagentObject.o ntpsnmpd-opts.o -Wl,--gc-sections -pthread  ../ntpq/libntpq.a ../libntp/libntp.a -L/usr/lib64 -lnetsnmpmibs -lnetsnmpagent -lwrap -lnetsnmp -lm -lssl -lcrypto -ldl -lz ../sntp/libopts/.libs/libopts.a -pthread
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../ntpq/libntpq.a(libntpq_a-libntpq.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../ntpq/libntpq.a(libntpq_a-libntpq_subs.o): relocation R_X86_64_32 against symbol `g_varlist' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../ntpq/libntpq.a(libntpq_a-libntpq_subs.o): warning: relocation against `free@@GLIBC_2.2.5' in readonly section `.text'
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Comment 2 Michael Weber (RETIRED) gentoo-dev 2017-03-22 22:56:31 UTC
(In reply to Michael Weber from comment #1)
> Umm, 

nvm, apparently fixed by 

commit 494143c3b4921a5c8b8596d58f2c8b98296bf688
Author: Patrick McLean <chutzpah@gentoo.org>
Date:   Wed Mar 22 11:52:01 2017 -0700

    net-misc/ntp: Add patch to fix build with gcc-4.9
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-24 06:15:34 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Reuben Farrelly 2017-03-29 01:37:57 UTC
The ntp-4.2.8_p10 ebuild in the tree currently does not include the libressl patch that was included in the ntp-4.2.8_p9 ebuild.  This is a problem because the _p10 ebuild does not build with libressl (for the same reasons as the _p9 did not build without the patch).

The impact of this is that users like myself with libressl installed cannot upgrade to this ebuild and thus have to remain vulnerable.  IMHO this needs to be fixed before we can stabilise the package.
Comment 5 Patrick McLean gentoo-dev 2017-03-31 00:14:26 UTC
commit ce3be83bafb6e93161bf5808ffe097d53655f6b0
Author: Patrick McLean <chutzpah@gentoo.org>
Date:   Thu Mar 30 17:12:55 2017 -0700

    net-misc/ntp: Add patch to build 4.2.8_p10 with libressl

    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-30 16:35:24 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2017-06-03 06:57:27 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Will call for stabilization on June 17 if not done by maintainer before.
Comment 8 Matthias Maier gentoo-dev 2017-06-07 15:01:35 UTC
Security, please fix CVE-2017-9042 - this is a binutils CVE [1,2] tracked by [3]. Removing alias.

[1] https://access.redhat.com/security/cve/cve-2017-9042
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-9042
[3] https://bugs.gentoo.org/show_bug.cgi?id=618826
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-06-07 16:14:32 UTC
@ Arches,

please test and mark stable: =net-misc/ntp-4.2.8_p10-r1
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-08 10:16:56 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-09 10:20:19 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-06-10 13:45:54 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-06-10 15:12:49 UTC
ia64 stable
Comment 14 Markus Meier gentoo-dev 2017-06-12 18:52:07 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-06-13 12:32:13 UTC
ppc64 stable
Comment 16 Tobias Klausmann gentoo-dev 2017-06-20 14:58:29 UTC
Stable on alpha.
Comment 17 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:07 UTC
ppc stable
Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:55:21 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 19 Sergei Trofimovich gentoo-dev 2017-09-26 21:24:42 UTC
hppa stable
Comment 20 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:26:46 UTC
@maintainers, please clean the vulnerable versions.
Comment 21 Lars Wendler (Polynomial-C) gentoo-dev 2017-10-20 09:05:53 UTC
commit 6d5d02e1341ffa76de4b26a6963d99699afba0c6 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Oct 20 11:05:20 2017

    net-misc/ntp: Security cleanup (bug #613550).

    Package-Manager: Portage-2.3.12, Repoman-2.3.3